Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
A cloud-init file for creating an OpenVPN server (with 2 client profiles).
#cloud-config
apt_update: true
packages:
- openvpn
- easy-rsa
runcmd:
- IPADDR=$(dig +short myip.opendns.com @resolver1.opendns.com)
- gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
- sed -i -e 's/;cipher DES-EDE3-CBC \# Triple-DES/;cipher DES-EDE3-CBC \# Triple-DES\ncipher AES-256-CBC/' /etc/openvpn/server.conf
- sed -i -e 's/dh dh1024.pem/dh dh2048.pem/' /etc/openvpn/server.conf
- sed -i -e 's/;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' /etc/openvpn/server.conf
- sed -i -e 's/;push "dhcp-option DNS 208.67.222.222"/push "dhcp-option DNS 208.67.222.222"/' /etc/openvpn/server.conf
- sed -i -e 's/;push "dhcp-option DNS 208.67.220.220"/push "dhcp-option DNS 208.67.220.220"/' /etc/openvpn/server.conf
- sed -i -e 's/;user nobody/user nobody/' /etc/openvpn/server.conf
- sed -i -e 's/;group nogroup/group nogroup/' /etc/openvpn/server.conf
- echo 1 > /proc/sys/net/ipv4/ip_forward
- sed -i -e 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
- ufw allow ssh
- ufw allow 1194/udp
- sed -i -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
- sed -i "1i# START OPENVPN RULES\n# NAT table rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n# Allow traffic from OpenVPN client to eth0\n\n-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE\nCOMMIT\n# END OPENVPN RULES\n" /etc/ufw/before.rules
- ufw --force enable
- cp -r /usr/share/easy-rsa/ /etc/openvpn
- mkdir /etc/openvpn/easy-rsa/keys
- sed -i -e 's/KEY_NAME="EasyRSA"/KEY_NAME="server"/' /etc/openvpn/easy-rsa/vars
- openssl dhparam -out /etc/openvpn/dh2048.pem 2048
- cd /etc/openvpn/easy-rsa && . ./vars
# Optionally set indentity information for certificates:
# - export KEY_COUNTRY="<%COUNTRY%>" # 2-char country code
# - export KEY_PROVINCE="<%PROVINCE%>" # 2-char state/province code
# - export KEY_CITY="<%CITY%>" # City name
# - export KEY_ORG="<%ORG%>" # Org/company name
# - export KEY_EMAIL="<%EMAIL%>" # Email address
# - export KEY_OU="<%ORG_UNIT%>" # Orgizational unit / department
- cd /etc/openvpn/easy-rsa && ./clean-all
- cd /etc/openvpn/easy-rsa && ./build-ca --batch
- cd /etc/openvpn/easy-rsa && ./build-key-server --batch server
- cp /etc/openvpn/easy-rsa/keys/server.crt /etc/openvpn
- cp /etc/openvpn/easy-rsa/keys/server.key /etc/openvpn
- cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn
- service openvpn start
- cd /etc/openvpn/easy-rsa && ./build-key --batch client1
- cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client1.ovpn
- sed -i -e "s/;cipher x/cipher AES-256-CBC/" /etc/openvpn/easy-rsa/keys/client1.ovpn
- sed -i -e "s/my-server-1/$IPADDR/" /etc/openvpn/easy-rsa/keys/client1.ovpn
- sed -i -e 's/;user nobody/user nobody/' /etc/openvpn/easy-rsa/keys/client1.ovpn
- sed -i -e 's/;group nogroup/group nogroup/' /etc/openvpn/easy-rsa/keys/client1.ovpn
- sed -i -e 's/ca ca.crt//' /etc/openvpn/easy-rsa/keys/client1.ovpn
- sed -i -e 's/cert client.crt//' /etc/openvpn/easy-rsa/keys/client1.ovpn
- sed -i -e 's/key client.key//' /etc/openvpn/easy-rsa/keys/client1.ovpn
- echo "<ca>" >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- echo "</ca>" >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- echo "<cert>" >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- openssl x509 -outform PEM -in /etc/openvpn/easy-rsa/keys/client1.crt >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- echo "</cert>" >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- echo "<key>" >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- cat /etc/openvpn/easy-rsa/keys/client1.key >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- echo "</key>" >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- cd /etc/openvpn/easy-rsa && ./build-key --batch client2
- cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client2.ovpn
- sed -i -e 's/;cipher x/cipher AES-256-CBC/' /etc/openvpn/easy-rsa/keys/client2.ovpn
- sed -i -e "s/my-server-1/$IPADDR/" /etc/openvpn/easy-rsa/keys/client2.ovpn
- sed -i -e 's/;user nobody/user nobody/' /etc/openvpn/easy-rsa/keys/client2.ovpn
- sed -i -e 's/;group nogroup/group nogroup/' /etc/openvpn/easy-rsa/keys/client2.ovpn
- sed -i -e 's/ca ca.crt//' /etc/openvpn/easy-rsa/keys/client2.ovpn
- sed -i -e 's/cert client.crt//' /etc/openvpn/easy-rsa/keys/client2.ovpn
- sed -i -e 's/key client.key//' /etc/openvpn/easy-rsa/keys/client2.ovpn
- echo "<ca>" >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- echo "</ca>" >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- echo "<cert>" >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- openssl x509 -outform PEM -in /etc/openvpn/easy-rsa/keys/client1.crt >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- echo "</cert>" >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- echo "<key>" >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- cat /etc/openvpn/easy-rsa/keys/client1.key >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- echo "</key>" >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- mkdir /home/openvpn
- cp /etc/openvpn/easy-rsa/keys/client1.ovpn /home/openvpn
- cp /etc/openvpn/easy-rsa/keys/client2.ovpn /home/openvpn
- chmod +r /home/openvpn/client1.ovpn
- chmod +r /home/openvpn/client2.ovpn
@wanderernxa

This comment has been minimized.

Copy link

commented Nov 7, 2018

Did you have to create a new install of OpenVPN AS on a centos / ubuntu machine w/ cloud-init enabled to be able to do this?

thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.